LISTING OF CLAIMS:

1. (Original) A method for dynamically assessing threats to computers and computer
networks using one or more security devices that generate events, comprising: 

reading policy configuration information, wherein the policy configuration information 
comprises a global threat assessment event generation probability and one or more dynamic 
threat assessment rules comprising event probability information; 

generating one or more abstract data types for each of the one or more dynamic threat
assessment rules; 

collecting and storing events from the one or more security devices in an event collection 
database; 

reading each event in the event collection database; 

determining if the each event is a member of each instance of the one or more abstract 
data types for each of the one or more dynamic threat assessment rules; 

if the each event is a member of the each instance, adding the each event to the each 
instance and computing a probability of the each instance; 

determining if the probability is greater than the global threat assessment event 
generation probability; 

if the probability is greater than the global threat assessment event generation probability,
generating a dynamic threat assessment event and placing the dynamic threat assessment event in 
the event collection database; 

determining if the each event is a starting member of an instance of the one or more 
abstract data types for each of the one or more dynamic threat assessment rules; and 

if the each event is a starting member of the instance, creating the instance and adding the
each event to the instance. 

2. (Original) The method of claim 1, wherein the one or more security devices comprise 
an intrusion detection system, a network intrusion detection system, a host intrusion detection 
system, a router, a firewall, and a system logger.

3. (Original) The method of claim 1, wherein the policy configuration information 
further comprises rule probability thresholds. 

4. (Original) The method of claim 1, wherein the policy configuration information
further comprises event collection database configurations. 

5. (Original) The method of claim 1, wherein the policy configuration information
further comprises operation parameters. 

6. (Original) The method of claim 1, wherein the one or more abstract data types 
comprise graphs, trees, lists, state machines, hash tables, and Bayesian networks. 

7. (Original) The method of claim 1, wherein the probability of the each instance is
computed based on one or more of the conditions comprising a number of other events, a type of 
the other events, an order of the other events, and a timing of the other events. 

8. (Original) The method of claim 3, further comprising determining if the probability is 
greater than a rule probability threshold for the each instance. 

9. (Original) The method of claim 8, further comprising if the probability is greater than 
the rule probability threshold for the each instance, generating a dynamic threat assessment event 
and placing it in the event collection database. 

10. (Original) The method of claim 1, further comprising receiving and storing events
from the one or more security devices in the event collection database. 

11. (Original) The method of claim 1, further comprising removing the each instance
from memory, if the probability is greater than the global threat assessment event probability.

12. (Original) The method of claim 8, further comprising removing the each instance 
from memory, if the probability is greater than the rule probability threshold for the each 
instance. 

13. (Original) A system for dynamically assessing threats to computers and computer 
networks, comprising: 

one or more security devices that generate events; 

an event collection database, wherein the event collection database collects and stores 
events of the one or more security devices; 

policy configuration information, wherein the policy configuration information comprises 
a global threat assessment event generation probability and one or more dynamic threat 
assessment rules comprising event probability information; and 

a dynamic threat assessment engine, 

wherein the dynamic threat assessment engine accepts the policy configuration 
information; 

wherein the dynamic threat assessment engine generates one or more abstract data types 
for the one or more dynamic threat assessment rules; 

wherein the dynamic threat assessment engine reads each event in the event collection 
database; 

wherein the dynamic threat assessment engine determines if the each event is a member
of each instance of the one or more abstract data types for each of the one or more dynamic 
threat assessment rules; 

wherein if the each event is a member of the each instance, the dynamic threat assessment 
engine adds the each event to the each instance and computes a probability of the each instance; 

wherein the dynamic threat assessment engine determines if the probability is greater 
than the global threat assessment event generation probability; 

wherein if the probability is greater than the global threat assessment event generation 
probability, the dynamic threat assessment engine generates a dynamic threat assessment event 
and places the dynamic threat assessment event in the event collection database; 

wherein the dynamic threat assessment engine determines if the each event is a starting 
member of an instance of the one or more abstract data types for each of the one or more 
dynamic threat assessment rules; and 

wherein if the each event is a starting member of the instance, the dynamic threat 
assessment engine creates the instance and adds the each event to the instance.

14. (Original) The system of claim 13, wherein the one or more security devices 
comprise an intrusion detection system, a network intrusion detection system, a host intrusion 
detection system, a router, a firewall, and a system logger.

15. (Original) The system of claim 13, wherein the policy configuration information
further comprises rule probability thresholds. 

16. (Original) The method of claim 13, wherein the policy configuration information 
further comprises event collection database configurations. 

06/26/2007 14:04 7037079112 POSZ LAW GROUP PAGE

Serial No. 10/806,434 Attorney Docket No. 61-005T 

17. (Original) The method of claim 13, wherein the policy configuration information
further comprises operation parameters.

18. (Original) The system of claim 13, wherein the one or more abstract data types
comprise graphs, trees, lists, state machines, hash tables, and Bayesian networks. 

19. (Original) The system of claim 13, wherein the probability of the each instance is
computed based on one or more of the conditions comprising a number of other events, a type of 
the other events, an order of the other events, and a timing of the other events. 

20. (Original) The system of claim 15, wherein the dynamic threat assessment engine 
determines if the probability is greater than a rule probability threshold for the each instance. 

21. (Original) The system of claim 20, wherein if the probability is greater than the rule
probability threshold for the each instance, the dynamic threat assessment engine generates a 
dynamic threat assessment event and places it in the event collection database. 

22. (Original) The system of claim 13, wherein the event collection database receives 
and stores events from the one or more security devices. 

23. (Original) The method of claim 13, wherein the dynamic threat assessment engine
removes the each instance from memory, if the probability is greater than the global threat
assessment event probability.

24. (Original) The method of claim 20, wherein the dynamic threat assessment engine 
removes the each instance from memory, if the probability is greater than the rule probability 
threshold for the each instance. 

25. (Original) The system of claim 13, wherein the event collection database comprises 
the logging system of a security device that generates events. 

26. (Original) The system of claim 13, further comprising a management console
comprising the event collection database, the policy configuration information, and the dynamic 
threat assessment engine. 

27. (Canceled) 
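
An illustrative sketch of the event loop recited in claims 1 and 11, added here as an example and not taken from the application or any product. The claims do not say how membership or probability is computed, so the list-based instance, the source-address correlation key, the one-live-instance-per-source rule and the noisy-OR scoring are all assumptions, as are the field names and sample events.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    start_type: str      # event type that opens a new instance (assumed field)
    event_prob: dict     # event type -> probability weight (assumed encoding)

@dataclass
class Instance:          # the rule's abstract data type; a plain list here
    rule: Rule
    key: str             # assumed correlation key: the event's source address
    events: list = field(default_factory=list)

    def probability(self):
        # Assumed scoring: noisy-OR over the distinct event types collected.
        miss = 1.0
        for etype in {e["type"] for e in self.events}:
            miss *= 1.0 - self.rule.event_prob[etype]
        return 1.0 - miss

def run_engine(policy, event_db):
    instances, i = [], 0
    while i < len(event_db):             # DTA events are appended as we read
        ev = event_db[i]
        i += 1
        for inst in list(instances):     # membership test per live instance
            if ev["type"] in inst.rule.event_prob and ev.get("src") == inst.key:
                inst.events.append(ev)
                p = inst.probability()
                if p > policy["global_threshold"]:
                    event_db.append({"type": "dta", "rule": inst.rule.name,
                                     "src": inst.key, "p": round(p, 3)})
                    instances.remove(inst)   # claim 11: free the instance
        for rule in policy["rules"]:     # starting-member test per rule
            live = any(x.rule is rule and x.key == ev.get("src") for x in instances)
            if ev["type"] == rule.start_type and not live:
                instances.append(Instance(rule, ev["src"], [ev]))
    return [e for e in event_db if e["type"] == "dta"]

# Constructed policy and events (documentation address ranges).
POLICY = {"global_threshold": 0.8, "rules": [Rule("scan-then-escalate",
          "port_scan", {"port_scan": 0.3, "auth_failure": 0.5, "priv_change": 0.7})]}
EVENTS = [{"type": "port_scan", "src": "203.0.113.7"},
          {"type": "auth_failure", "src": "198.51.100.9"},
          {"type": "auth_failure", "src": "203.0.113.7"},
          {"type": "priv_change", "src": "203.0.113.7"}]
```

Calling `run_engine(POLICY, list(EVENTS))` returns the single dynamic threat assessment event raised once the third correlated event pushes the instance past the global threshold; the unrelated source never joins the instance.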